In recent news, a number of Linux web hosting servers have been infected with a rootkit that has comprised the Secure Shell Daemon (SSHD). User login details are being captured and sent to servers controlled by cyber criminals. It has been reported that the cyber criminals are then logging into the comprised servers using the captured account details and using the servers to send spam or turn them into botnet nodes.
Based on what I have read at this point in time, the exploit mechanism used to install the rootkit has not been clearly identified. Some web hosts are temporarily disabling remote SSH access as a preventive measure.
If you are using Linux-based Web Hosting, you hosting server is likely to be infected if any of the following files exist:
/lib64/libkeyutils.so.1.9
/lib/libkeyutils.so.1.9
Most infected servers have been running cPanel and CentOS, but there are also reports of infections on servers running DirectAdmin, Plesk and non-RHEL based Linux distributions.
If your hosting server is infected, you should:
- Immediately log out of any SSH sessions
- Change your password using cPanel or any alternative online mechanism offered by your service provider
- Notify your web host’s support staff
Do not log into your hosting server via SSH until support staff tell you it is safe to do so.
For more information, check out the following:
CloudLinux – SSHD Rootkit
Web Hosting Talk – SSHD Rootkit Rolling around